Endpoint policy before restoration #36433
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
a61a122 to
f3c7e69
Compare
|
/test |
f3c7e69 to
8dd87a8
Compare
|
/test |
8dd87a8 to
4d36bda
Compare
|
/test |
4d36bda to
ac91218
Compare
|
/test |
ac91218 to
acae7a4
Compare
|
/test |
acae7a4 to
608932e
Compare
|
/test |
608932e to
c1e09bb
Compare
|
/test |
c1e09bb to
60eb197
Compare
|
/test |
60eb197 to
3872308
Compare
doniacld
approved these changes
Jan 9, 2025
christarazi
reviewed
Jan 9, 2025
Compute endpoint policy before scheduling bpf regeneration. This may allow for faster initial proxy policy sync with Envoy and thus make 'toFQDNs' policies more responsive during Cilium Agent restarts. With this endpoint's desiredPolicy may already be computed when the endpoint is queued for regeneration. This has two consequences: 1. The version handle of the desired policy may not have been closed when endpoint is removed while it is waiting to be regenerated. Thus we need to mark the desired policy as 'Ready' when removing the endpoint to avoid warning logs. 2. Endpoint's policy may get updated while it is waiting to get regererated. If this happens the policy needs to be recomputed when endoint regeneration is started. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
…ation Only pre-compute endpoint policy on first regeneration. This avoids extra work if the endpoint policy gets updated while it is waiting to be regenerated. Start serving xDS resources to Envoy as soon as the policies of all restored endopoints have been computed, rather than waiting for them to have been fully restored. This allows Envoy to get policy updates sooner on restart. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add an optional stacktrace to VersionHandle, which is set if debug is enabled. This is logged if a VersionHandle finalizer is needed for cleanup and helps debug unclosed version handles. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Log the calling file and line in EndpointPolicy.Detach if the policy was not marked as Ready at the time of the Detach call. This helps finding out where the problem may lie. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
c45575c to
f2be250
Compare
|
/test |
sayboras
approved these changes
Jan 13, 2025
christarazi
reviewed
Jan 14, 2025
christarazi
approved these changes
Jan 14, 2025
45 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Start serving xDS resources to Envoy as soon as policies for all restored endpoints have been computed, rather than waiting for them to be fully restored.